University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

t42
Level 11
Posts: 3732
Joined: Mon Jan 20, 2014 6:48 pm

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by t42 »

On the other side, who approved access for a researcher with this official scope of interests in his CV:
  • Ongoing Projects
    • Open-Source Security: Studying how vulnerabilities can be introduced in open source programs by seemingly valid patches.

https://raw.githubusercontent.com/Qiush ... QSW_CV.pdf
-=t42=-
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Post by rene »

That's in fact fairly fundamental to the Linux development model: not people are approved or disapproved --- latter at least until they've proven themselves untrustworthy as here --- but code is. And yes, the mentioned scarcity of review bandwidth has that be something which not many involved in that actual development process would find surprising can be abused: "obvious fixes" can in a highly complex project like an OS kernel hide a fair number of devils in their details.
t42
Level 11
Posts: 3732
Joined: Mon Jan 20, 2014 6:48 pm

Post by t42 »

rene wrote: not people are approved or disapproved --- latter at least until they've proven themselves untrustworthy as here --- but code is
Agree with all that, but you can perceive a hint of preexisting expectations here:
The fact that the UMN IRB team believes that what Prof. Lu is doing isn't considered in scope for human experimentation means that there isn't any kind of institutional controls at UMN for this sort of behavior --- which is why a University-wide Ban may be the only right answer, unfortunately.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Post by rene »

Sure, nothing is ever black and white, and submissions coming from a nice .edu email address may generally be better trusted than from hotmail.com (and then on the rebound worse once something like this happens) but it's quite the idea at least. I don't expect, fully don't expect, that anyone ever read that CV even if that same information was on there before the first submission from that group: it's just not the point; the code is.
Portreve
Level 13
Posts: 4870
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!

Post by Portreve »

“Deez University ahf Minn-ah-so-tah needs to be... puuuunished.”

Flying this flag in support of freedom 🇺🇦

Recommended keyboard layout: English (intl., with AltGR dead keys)

Podcasts: Linux Unplugged, Destination Linux

Also check out Thor Hartmannsson's Linux Tips YouTube Channel
DAMIEN1307

Post by DAMIEN1307 »

t42 wrote: Ongoing Projects
• Open-Source Security: Studying how vulnerabilities can be introduced in open source programs by seemingly valid patches.
https://raw.githubusercontent.com/Qiush ... QSW_CV.pdf
I read just enough of the PDF to see where this was going...lol...Nice Try, but he got caught...lol...DAMIEN
MurphCID
Level 15
Posts: 5908
Joined: Fri Sep 25, 2015 10:29 pm
Location: Near San Antonio, Texas

Post by MurphCID »

How arrogant of them to try this. They deserve what they get, and all the scorn that comes with it.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Post by rene »

Hey, you try and come up with a fresh thesis-subject for CS graduate N+1 that aims to do 'something with security' ...
MurphCID
Level 15
Posts: 5908
Joined: Fri Sep 25, 2015 10:29 pm
Location: Near San Antonio, Texas

Post by MurphCID »

Understood, but they got caught and then kept trying to lie about it. Come clean, admit what you did, promise to never do it again, and move on.
Barbados99
Level 4
Posts: 352
Joined: Tue Mar 11, 2014 6:16 pm
Location: Central Illinois

Post by Barbados99 »

You would hope that most universities have better oversight for student research. I'll bet that this university was so embarrassed publicly by this incident that the consequences will be stiff for the people responsible for oversight and guidance of the students doing this "research" project. The "research" seems about as ethical as breaking into the local bank to "research" their security. Or setting fire to the local public library to "research" how well the fire alarms work.

It seems like the people with oversight approval (the professors who are charged with guiding these people) must be pretty irresponsible to say the least. They certainly are not qualified to advise students.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Post by rene »

MurphCID wrote: Fri Apr 23, 2021 9:23 am Understood, but they got caught and then kept trying to lie about it. Come clean, admit what you did, promise to never do it again, and move on.
To be perfectly frank I am not so sure they did in fact "kept trying to lie about it". That earlier episode was eventually even published as a paper, and this time the submitter claimed the bad or useless patches to have been the result of a static code analyser, i.e., of a by said submitter written piece of software that programmatically detected, in the case I actually looked at, i.e., https://lore.kernel.org/linux-nfs/YH5%2 ... kroah.com/, a possible double-free bug.

Although it's pretty obvious from the mere fact that someone who knows that code would not make any such mistake already, and while as such Greg was quite right that manual review of the by the tool produced results should've resulted in this not being submitted, I'll admit I also had to look twice to see why that was not in fact a double-free bug. It's only very obvious to someone who knows that code (gss_release_msg() just drops a reference which was taken one line up from the in fact in the patch visible bit).

As such I expect that the submitter is in fact mostly just a lousy C programmer and that his tool is garbage. I.e., that old "never attribute to malice that which is adequately explained by stupidity" thing. That someone like Greg can't take chances --- and certainly not with any possible upside apparently being useless garbage patches even if not malicious --- sure, but well, I think submitter in this case was in fact probably more a simply incompetent doofus rather than an evil-doer.

Which would not be to say that I'm not aware of the fact that I tend to be naive...
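The post above turns on a distinction a pattern-matching checker gets wrong: a release call that merely drops a reference taken a line earlier is not a free, so two "release" calls on the same object are not a double free when a get sits between them. The following is an added example written for this thread, not code from the kernel or from the submitter's tool; the names (`msg_get`, `msg_put`, `naive_double_free`, `refcount_double_free`) and the traces are constructed here to model that get/put discipline and to show why a naive "two puts equals double free" heuristic reports a false positive while a reference-aware check does not.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy reference-counted object (hypothetical; not the kernel's
 * gss code), modelling the same get/put discipline the post describes. */
struct msg {
    int refcount;
    int payload;
};

static int live_objects = 0;   /* number of msg objects currently allocated */

struct msg *msg_alloc(int payload)
{
    struct msg *m = calloc(1, sizeof *m);
    if (!m)
        return NULL;
    m->refcount = 1;           /* the creator holds the first reference */
    m->payload = payload;
    live_objects++;
    return m;
}

/* Take an extra reference; returns the same pointer for chaining. */
struct msg *msg_get(struct msg *m)
{
    m->refcount++;
    return m;
}

/* Drop one reference; the object is freed only when the count reaches zero.
 * Returns 1 if this call freed the object, 0 otherwise. */
int msg_put(struct msg *m)
{
    if (--m->refcount == 0) {
        live_objects--;
        free(m);
        return 1;
    }
    return 0;
}

/* The shape that looks like a double free to a naive checker: a get()
 * balanced by an immediate put(), then the owner's own put() later on.
 * Returns 1 if the object was freed exactly once, at the owner's put(). */
int balanced_get_put_is_not_double_free(void)
{
    struct msg *m = msg_alloc(42);
    if (!m)
        return 0;
    int freed_by_pair = msg_put(msg_get(m));   /* 1 -> 2 -> 1: nothing freed */
    int live_after_pair = live_objects;        /* still 1 */
    int freed_by_owner = msg_put(m);           /* 1 -> 0: freed here, once */
    return freed_by_pair == 0 && live_after_pair == 1 &&
           freed_by_owner == 1 && live_objects == 0;
}

/* A trace of get/put calls: the input a static checker reasons about. */
enum op { OP_GET, OP_PUT };
struct event { enum op op; int obj; };
#define MAX_OBJS 8

/* Naive heuristic: two put() calls on one object means "double free".
 * Returns 1 if the trace is flagged. */
int naive_double_free(const struct event *ev, size_t n)
{
    int puts[MAX_OBJS] = {0};
    for (size_t i = 0; i < n; i++)
        if (ev[i].op == OP_PUT && ++puts[ev[i].obj] >= 2)
            return 1;
    return 0;
}

/* Reference-aware check: each object starts with one reference; a put()
 * that would drive the count below zero is a genuine over-release. */
int refcount_double_free(const struct event *ev, size_t n)
{
    int count[MAX_OBJS];
    for (int i = 0; i < MAX_OBJS; i++)
        count[i] = 1;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].op == OP_GET)
            count[ev[i].obj]++;
        else if (--count[ev[i].obj] < 0)
            return 1;
    }
    return 0;
}

/* Constructed traces: "balanced" is the naive heuristic's false positive;
 * "over_release" is a real bug that both checkers should catch. */
static const struct event balanced[] = { {OP_GET, 1}, {OP_PUT, 1}, {OP_PUT, 1} };
static const struct event over_release[] = { {OP_PUT, 1}, {OP_PUT, 1} };

int naive_flags_balanced(void)        { return naive_double_free(balanced, 3); }
int refcount_flags_balanced(void)     { return refcount_double_free(balanced, 3); }
int naive_flags_over_release(void)    { return naive_double_free(over_release, 2); }
int refcount_flags_over_release(void) { return refcount_double_free(over_release, 2); }

int main(void)
{
    printf("balanced trace: naive=%d refcount-aware=%d\n",
           naive_flags_balanced(), refcount_flags_balanced());
    printf("over-release trace: naive=%d refcount-aware=%d\n",
           naive_flags_over_release(), refcount_flags_over_release());
    printf("toy object freed exactly once: %d\n",
           balanced_get_put_is_not_double_free());
    return 0;
}
```

The balanced trace is exactly the case where a reviewer who knows the code sees nothing wrong and a counting heuristic sees a double free; the reference-aware checker agrees with the reviewer, and still catches the real over-release. It is the kind of result a tool author should check by hand before turning its output into a patch.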
Barbados99
Level 4
Posts: 352
Joined: Tue Mar 11, 2014 6:16 pm
Location: Central Illinois

Post by Barbados99 »

Linux creator Linus Torvalds weighs in on the incident:

Link to the article:
https://itwire.com/open-source/torvalds ... trust.html
Torvalds was reacting to the act by a group at the University of Minnesota who sent known buggy patches to senior developer Greg Kroah-Hartman in order to write a paper.

Kroah-Hartman, normally a man who is the epitome of politeness, lost his cool when these patches were sent as it needlessly created additional work for him. He maintains the stable line of kernels.

"I don't really know what to say, I think the email thread is likely the most relevant information," Torvalds told iTWire in response to a query.

"I don't think it has been a huge deal _technically_, but people are pissed off, and it's obviously a breach of trust."
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Post by JoeFootball »

Barbados99 wrote: It seems like the people with oversight approval (the professors who are charged with guiding these people) must be pretty irresponsible to say the least. They certainly are not qualified to advise students.
Sadly, one of the research paper's authors is a professor. :roll:

That said, it's difficult to believe that if this project was actually approved by a university review board, that it was represented with the full disclosure of its intended tactics. Furthermore, the tone of response from the head of the department leads me to believe that the actual procedure was being conducted without his knowledge.
Schultz
Level 9
Posts: 2958
Joined: Thu Feb 25, 2016 8:57 pm

Post by Schultz »

I wonder how Mr. Torvalds would have reacted if this came out before "they" got to him a few years ago and made him "be nice."
Portreve
Level 13
Posts: 4870
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!

Post by Portreve »

There is also the potential for a public relations fallout from this. The same media that took Clem's blog comments and utterly misrepresented them could just as easily — along with others even in the more mainstream media — misrepresent this as a critical security lapse on the part of the Linux community, and that the Linux kernel may now have been breached permanently, meaning people and organizations should only use this platform "at your own risk", etc.

Remember the mentality level of who we're talking about (news media and general public).
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Post by rene »

For now it seems to mostly be the University of Minnesota that has a bit of a public relations fallout here...
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Post by JoeFootball »

An ugly situation for the University indeed, which impacts the majority of students and faculty who had no hand in the matter. I've just backspaced over what I truly want to say about that. Onward ...

The department head has announced they're investigating how this could have happened, they will take appropriate actions, and will share their findings.

The group responsible for this embarrassment (and I'm being charitable with that description) has "apologized" in an open letter to the community.

Greg KH responded, revealing that the Linux Foundation submitted a letter to the University outlining the actions that would need to be taken in order for the University to be considered for any future contributions.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Post by rene »

Thanks for keeping tabs; issue had already fallen from my radar again. Well... gregkh certainly is pissed :)
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Post by JoeFootball »

rene wrote: Thanks for keeping tabs; issue had already fallen from my radar again.
I don't mean to keep up on it, but I have colleagues still giving me a hard time about it (in good-natured fun), so I have their blips on my radar. And I'm not even an alumnus of the University, so my sensitivity is admittedly an overreaction. And I think they know that, therefore I'm arguably enabling their continued prodding. :)
rene wrote: gregkh certainly is pissed
I've once again backspaced over a long-winded passionate response, but I'm in agreement for banning the University at this time. Something went wrong somewhere, and this needs to be properly addressed before any future considerations can begin to be discussed by the kernel development team. The University has said they're taking this extremely seriously, and they well should.

Regardless, let's hope that all parties can take appropriate reactive and proactive measures to mitigate this kind of thing with any future instances.
Portreve
Level 13
Posts: 4870
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!

Post by Portreve »

The offenders should have a lifetime ban from contributing anything to the kernel, and if possible, from anything else within the libre community. I'm all for a highly punitive action in this case.

As for the University, I think they should really be put through the meat grinder on this, again punitive, but in their case to send an explicit message that nothing along these lines will be tolerated by the community.

The reason I think the punishment against the offender(s) should focus on being punitive is it's entirely too easy for them to establish new and fresh identities elsewhere; it's highly unlikely anything done to them would ever be felt — or cared about — by anyone else. Therefore, it's not at all about sending a message in that way. Also, if this were to happen and they were discovered, they could be kicked out of the community (again) with prejudice. The other side to GNU+Linux being a safe and welcoming environment must be that we protect our own, fiercely.